SPAN Vs Tap

A Detailed Explanation

In a basic network infrastructure, there are out-of-band monitoring devices such as probes, intrusion detection systems, network recorders and network analyzers.

It is common to deploy an out-of-band monitoring device to sit passive on the network without modifying or altering any of the network traffic. Two ways to passively monitor your network include using a Switch Port Analyzer (SPAN) port or a Test Access Point (TAP).

As mentioned, there are two common approaches to deploying a passive device in an out-of-band fashion: connecting the device to either a Switch Port Analyzer (SPAN) or a Test Access Point (TAP).

A SPAN is a dedicated port on a managed switch that takes a mirrored copy of network traffic off the switch to be sent to a monitoring device. A passive TAP is used mainly in fiber-optic networks, where it receives traffic from both directions of the network and will split the incoming light so that 100% of traffic is seen on the monitoring tool.

Both approaches will not affect the real network traffic and the out-of-band appliance can be connected and disconnected from the network without any downtime or disruption. Also, if the monitoring device fails for whatever reason, such as a power failure or software malfunction, traffic will continue to flow on the network as usual.

This white paper offers a comprehensive overview of the two approaches for out-of-band network visibility, SPAN and TAP, as well as an in-depth explanation of the differences between them.